Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed after SIX (6) MONTHS from the mailing date of this communication. 
- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 
- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 

Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) Responsive to communication(s) filed on 16 March 2004. 

2a) This action is FINAL. 2b) This action is non-final. 

3) Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) Claim(s) 1-22 is/are pending in the application. 

4a) Of the above claim(s) ____ is/are withdrawn from consideration. 

5) Claim(s) ____ is/are allowed. 

6) Claim(s) 1-22 is/are rejected. 

7) Claim(s) ____ is/are objected to. 

8) Claim(s) ____ are subject to restriction and/or election requirement. 

Application Papers 

9) The specification is objected to by the Examiner. 

10) The drawing(s) filed on ____ is/are: a) accepted or b) objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

3. Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)). 
DETAILED ACTION 

Information Disclosure Statement 

1. The information disclosure statements (IDS) submitted on July 6, 2004 and 
October 3, 2005 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the 
information disclosure statements are being considered by the examiner. 

Claim Rejections - 35 USC § 101 

2. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 5-13 are rejected under 35 U.S.C. 101 because the claimed invention is directed 
to non-statutory subject matter. The language of the claims raises a question as to 
whether the claim is directed merely to an abstract idea which would result in a practical 
application producing a concrete, useful, and tangible result to form the basis of 
statutory subject matter under 35 U.S.C. 101. Thus claims 5-13 are rejected as being 
non-statutory because no tangible result is produced. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

4. Claims 1-3, 5, 8, 9, 11-14, 17, 18 and 20-22 are rejected under 35 U.S.C. 102(e) 
as being anticipated by Mattsson (US Patent Application Publication 2003/0101355 A1). 

With respect to claim 1, Mattson teaches an apparatus for empirically adjusting 
access to a database, said apparatus comprising: 

coupled to the database, a database discovery module for determining database 
structure and authorized accesses to the database (paragraphs 32 and 34-36); 

coupled to the database, a command monitoring module for monitoring actual 
accesses to the database (paragraphs 33 and 50); and 

coupled to the database discovery module and to the command monitoring 
module, an analysis module for comparing actual accesses with authorized accesses 
(paragraphs 37 and 42). 

With respect to claim 2, Mattson teaches the apparatus of claim 1 further 
comprising, coupled to the database discovery module and to the analysis module, a 
storage area for accumulating data generated by the command monitoring module 
(paragraph 33). 

With respect to claim 3, Mattson teaches the apparatus of claim 1 wherein the 
command monitoring module is a sniffer (paragraph 5). 
With respect to claims 5 and 14, Mattson teaches: 

discovering authorized accesses to the database (paragraphs 32 and 34-36); 

observing actual accesses to the database (paragraphs 33 and 50); 

comparing actual accesses with authorized accesses (paragraphs 37 and 42); and 

adjusting authorized database accesses taking into account results of the 
comparing step (paragraphs 43, 44 and 46). 

With respect to claims 8 and 17, Mattson teaches wherein the discovering step 
uncovers any: 

tables of the database (paragraph 32); 

columns of the database (paragraph 32); 

authorized users of the database (paragraph 34); 

views of the database (paragraph 32); 

stored procedures of the database (paragraph 53); 

user-defined functions of the database (paragraph 53); and 

triggers of the database (paragraph 53). 

With respect to claims 9 and 18, Mattson teaches wherein the adjusting step 
comprises at least one of: 

suggesting revised database access control settings to a database administrator; 

automatically hardening the database for all times of day (paragraph 48); 

automatically hardening the database selectively based on time of day; 

alerting a database administrator (paragraphs 43, 44 and 46); and 

continuing to monitor accesses to the database after conclusion of the observing 
step. 

With respect to claims 11 and 20, Mattson teaches wherein the database is 
automatically hardened using database specific application programming interfaces 
(paragraphs 46 and 48). 

With respect to claims 12 and 22, Mattson teaches wherein the observing step 
has a preselected duration (paragraph 50). 

With respect to claims 13 and 22, Mattson teaches wherein the observing step is 
performed until a preselected quantity of actual accesses have been observed 
(paragraphs 33 and 50). 

A preselected quantity can be any number of accesses, including just one 
access. 

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject-matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 4, 10 and 19 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Mattsson (US Patent Application Publication 2003/0101355 A1) in view of Low et 
al. ("DIDAFIT: Detecting Intrusions in Databases through Fingerprinting Transactions") 
("Low"). 

With respect to claim 4, Mattson teaches claim 1. 

Mattson does not teach wherein the database is a relational database accessed 
by a structured query language. 

Low teaches a method for using fingerprints to detect illegitimate accesses to 
databases (see abstract) in which he teaches wherein the database is a relational 
database accessed by a structured query language (abstract). 

It would have been obvious to a person having ordinary skill in the art at the time 
the invention was made to have modified Mattson by the teaching of Low because 
a relational database accessed by a structured query language 
would enable a fingerprinting process to be used to detect anomalous database 
accesses involving SQL statements (Low, column 1, page 122). 

With respect to claims 10 and 19, Mattson as modified teaches wherein the 
database is automatically hardened using standard SQL commands (Low, abstract, 
page 126, column 1; Mattson, paragraphs 46 and 48). 

7. Claims 6, 7, 15 and 16 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Mattsson (US Patent Application Publication 2003/0101355 A1) in 
view of Vaitzblit et al. (US Patent Application Publication 2005/0097149 A1) ("Vaitzblit"). 

With respect to claims 6 and 15, Mattson teaches claims 5 and 14. 

Mattson does not teach further comprising the step of generating at least one 
third party report based upon observing actual accesses to the database. 

Vaitzblit teaches a data audit system (see abstract), in which he teaches further 
comprising the step of generating at least one third party report based upon observing 
actual accesses to the database (paragraphs 11 and 48-51). 

It would have been obvious to a person having ordinary skill in the art at the time 
the invention was made to have modified Mattson by the teaching of Vaitzblit because 
generating at least one third party report based 
upon observing actual accesses to the database would enable an efficient data audit 
system that would help organizations address data privacy and security issues 
(Vaitzblit, paragraph 7), and additionally detect anomalies (Vaitzblit, paragraph 19). 

With respect to claims 7 and 16, Mattson as modified teaches wherein the 
adjusting step comprises offering to deny access to operations by certain users on 
database tables and columns that were authorized but were not observed during the 
observing step (Vaitzblit, paragraph 19; Mattson, paragraph 46). 



Application/Control Number: 10/802,646 
Art Unit: 2164 






Conclusion 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Alicia M. Lewis whose telephone number is 571-272-5599. 
The examiner can normally be reached on Monday - Friday, 9 - 6:30, alternate 
Friday off. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Charles Rones can be reached on 571-272-4085. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




Alicia Lewis 
August 18, 2006 



SAM RIMELL 
PRIMARY EXAMINER 



